malwarewikiaorg-20200223-history
ZONEware
ZONEware or ZoneWare is an in-development ransomware that runs on Microsoft Windows. It was discovered by Lawrence Abrams. Its GUI is reminiscent of TeslaWare.

Payload Transmission

ZONEware is distributed through spam email attachments. These attachments can take various forms, including archives, links to online cloud services hosting the malicious file, Microsoft Office documents, malicious JavaScript files, different types of Windows script files and executable files. The key to these attacks is that social engineering tactics may be used to convince the victim that the attached file contains legitimate content, such as an invoice from a shipping company or a photo from a social media website.

Infection

Once ZONEware has infected a computer, it will connect to its Command and Control server to share information about the infected computer and receive configuration data. ZONEware will install its harmful content in various directories on the infected computer, which may include the following:

%AppData%
%Local%
%LocalLow%
%Temp%
%Windows%

ZONEware targets user-generated files in its attack. Some of the file types that will be encrypted in a ZONEware Ransomware attack include: .PNG, .PSD, .PSPIMAGE, .TGA, .THM, .TIF, .TIFF, .YUV, .AI, .EPS, .PS, .SVG, .INDD, .PCT, .PDF, .XLR, .XLS, .XLSX, .ACCDB, .DB, .DBF, .MDB, .PDB, .SQL, .APK, .APP, .BAT, .CGI, .COM, .EXE, .GADGET, .JAR, .PIF, .WSF, .DEM, .GAM, .NES, .ROM, .DWG, .DXF, .GPX, .KML, .KMZ, .ASP, .ASPX, .CER, .CFM, .CSR, .CSS, .HTM, .HTML, .JS, .JSP, .PHP, .RSS, .XHTML, .DOC, .DOCX, .LOG, .MSG, .ODT, .PAGES, .RTF, .TEX, .TXT, .WPD, .WPS, .CSV, .DAT, .GED, .KEY, .KEYCHAIN, .PPS, .PPT, .PPTX, .INI, .HQX, .MIM, .UUE, .7Z, .CBR, .DEB, .GZ, .PKG, .RAR, .RPM, .SITX, .TAR.GZ, .ZIP, .ZIPX, .BIN, .CUE, .DMG, .ISO, .MDF, .TOAST, .VCD, .SDF, .TAR, .TAX2014, .TAX2015, .VCF, .AIF, .IFF, .M3U, .M4A, .MID, .MP3, .MPA, .WAV, .3G2, .3GP, .ASF, .AVI, .FLV, .M4V, .MOV, .MP4, .MPG, .RM, .SRT, .SWF, .VOB, .WMV, .3D, .3DM, .3DS, .MAX, .OBJ, .R, .BMP, .DDS, .GIF, .JPG, .CRX, .PLUGIN, .FNT, .FON, .OTF, .TTF, .CAB, .CPL, .CUR, .DESKTHEMEPACK, .DLL, .DMP, .DRV, .ICNS, .ICO, .LNK, .SYS, .CFG.

After encrypting the victim's files, ZONEware delivers a ransom note, which alerts the victim to the attack and demands payment of a ransom fee. The ransom note associated with the ZONEware Ransomware reads:

    ZONEWARE
    All your important files have been encrypted using military grade encryption algorithm. To decrypt them you need to obtain the private key from us. We are the only who can provide you the key, so don't try to recover the files by yourself, it will only make the situation worse for you. To get this key you have to send the exact amount 0.25376 BTC to the address that you can see on the left or it will not work.

The text note dropped by ZONEware contains the following text:

    All of your files have been encrypted by The Zone !
    If you dont see a gui your anti virus has most likely blocked it, so you just need to pay 80 usd worth of bitcoins to this bitcoin address: 34pSt66TD3AHkubVSQGzRXzdE5oYTFdRm1

Categories: Delphi, Ransomware, Win32 ransomware, Win32, Win32 trojan, Microsoft Windows, Trojan